Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 687108 (CVE-2019-12499) - <sys-apps/firejail-0.9.60-r1: unauthorized disclosure of information (CVE-2019-12499)
Summary: <sys-apps/firejail-0.9.60-r1: unauthorized disclosure of information (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2019-12499
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor with 2 votes (vote)
Assignee: Gentoo Security
URL: https://github.com/netblue30/firejail...
Whiteboard: B4 [noglsa cve]
Keywords:
: 693774 693776 (view as bug list)
Depends on:
Blocks: 678976 CVE-2019-12589
  Show dependency tree
 
Reported: 2019-06-01 02:56 UTC by D'juan McDonald (domhnall)
Modified: 2020-03-15 21:45 UTC (History)
3 users (show)

See Also:
Package list:
sys-apps/firejail-0.9.60-r1
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description D'juan McDonald (domhnall) 2019-06-01 02:56:17 UTC
(https://nvd.nist.gov/vuln/detail/CVE-2019-12499):

Firejail before 0.9.60 allows truncation (resizing to length 0) of the firejail binary on the host by running exploit code inside a firejail sandbox and having the sandbox terminated. To succeed, certain conditions need to be fulfilled: The jail (with the exploit code inside) needs to be started as root, and it also needs to be terminated as root from the host (either by stopping it ungracefully (e.g., SIGKILL), or by using the --shutdown control command). This is similar to CVE-2019-5736.


Gentoo Security Padawan
(domhnall)
Comment 1 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-11 18:44:35 UTC
This "was fixed in 0.9.60, 0.9.56.2-LTS" [1].

[1]: https://firejail.wordpress.com/download-2/cve-status/

Maintainer, do you intend to bump the LTS release?
Comment 2 Dennis Lamm gentoo-dev 2019-08-12 04:53:15 UTC
Hi Aron,

yes the ebuild of the firejail LTS version was bumped to 0.9.56.2.

Best regards,
Dennis
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2019-08-12 22:49:27 UTC
(In reply to Dennis Lamm from comment #2)
> Hi Aron,
> 
> yes the ebuild of the firejail LTS version was bumped to 0.9.56.2.
> 
> Best regards,
> Dennis

Ah, now I see there is a separate package for LTS.

Please call for stable when ready so we can proceed to remove the vulnerable ebuilds.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2019-09-08 12:10:52 UTC
*** Bug 693774 has been marked as a duplicate of this bug. ***
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2019-09-08 12:11:07 UTC
*** Bug 693776 has been marked as a duplicate of this bug. ***
Comment 6 Agostino Sarubbo gentoo-dev 2019-10-28 07:41:48 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 7 Larry the Git Cow gentoo-dev 2020-03-15 21:43:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f4499a201d0bc9431172b00cbd52f1d0943bdba

commit 1f4499a201d0bc9431172b00cbd52f1d0943bdba
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-03-15 21:42:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-03-15 21:43:39 +0000

    sys-apps/firejail-lts: amd64 stable
    
    Bug: https://bugs.gentoo.org/687108
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 sys-apps/firejail-lts/firejail-lts-0.9.56.2-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Thomas Deutschmann gentoo-dev Security 2020-03-15 21:45:53 UTC
Repository is clean, all done!